Website drive-by attacks that try to booby trap visitors’ routers are alive and well, according to antivirus provider Avast, which blocked more than 4.6 million of them in Brazil over a two-month span.

The attacks come from compromised websites or malicious ads that attempt to use cross-site request forgery attacks to change the domain name system settings of visitors’ routers. When successful, the malicious DNS settings redirect targets to websites that spoof Netflix and a host of banks. Over the first half of the year, Avast software detected more than 180,000 routers in Brazil that had hijacked DNS settings, the company reported.

The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks. Attackers use the malicious DNS settings to phish passwords, display malicious ads inside legitimate webpages, or use a page visitor’s computer to mine cryptocurrencies.
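How a CSRF-exposed settings handler differs from a hardened one, shown as an added example that is not code from the article, from Avast, or from any router vendor. It assumes a hypothetical router admin UI at http://192.168.1.1 and stand-in `Request`, `vulnerable_set_dns` and `hardened_set_dns` functions; every request value in it is constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed LAN address of the router's admin UI (hypothetical, not from the article).
ROUTER_ORIGIN = "http://192.168.1.1"

# Per-session anti-CSRF tokens; in real firmware this would live in the session store.
_session_tokens = {}


class Request:
    """Minimal stand-in for an HTTP request reaching the router's admin interface."""

    def __init__(self, method, headers, form, session_id=None):
        self.method = method
        self.headers = headers        # e.g. {"Origin": "http://192.168.1.1"}
        self.form = form              # e.g. {"dns1": "1.1.1.1"}
        self.session_id = session_id  # admin-session cookie the browser attaches automatically


def issue_csrf_token(session_id):
    """Called when the settings form is rendered; the token is embedded in that page."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def vulnerable_set_dns(req, current):
    """Weak handler: any authenticated POST rewrites the resolvers.

    Because the browser attaches the admin-session cookie to every request to the
    router, a form auto-submitted by a page on another site is accepted too.
    """
    if req.method != "POST" or req.session_id is None:
        return current
    return {"primary": req.form.get("dns1", ""), "secondary": req.form.get("dns2", "")}


def _request_origin(req):
    """Reduce Origin (or, failing that, Referer) to scheme://host[:port]."""
    raw = req.headers.get("Origin") or req.headers.get("Referer")
    if not raw:
        return None
    parts = urlsplit(raw)
    return f"{parts.scheme}://{parts.netloc}"


def hardened_set_dns(req, current):
    """Same handler with the two standard CSRF defences applied."""
    if req.method != "POST" or req.session_id is None:
        return current
    # 1. The request must originate from the router's own pages; missing headers are rejected.
    if _request_origin(req) != ROUTER_ORIGIN:
        return current
    # 2. The form must carry the per-session token that only a same-origin page can read.
    expected = _session_tokens.get(req.session_id)
    supplied = req.form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return current
    return {"primary": req.form.get("dns1", ""), "secondary": req.form.get("dns2", "")}


def demo():
    """Constructed scenario: a cross-origin POST versus a change made from the router's own page."""
    current = {"primary": "", "secondary": ""}
    # Cross-origin: the browser sends the admin cookie, but Origin is some other site.
    # 198.51.100.53 is a documentation-range placeholder for the resolver being pushed.
    cross_site = Request("POST", {"Origin": "http://other-site.example"},
                         {"dns1": "198.51.100.53"}, session_id="admin-session")
    # Legitimate: submitted from the settings page, which embedded the session's token.
    token = issue_csrf_token("admin-session")
    legit = Request("POST", {"Origin": ROUTER_ORIGIN},
                    {"dns1": "1.1.1.1", "csrf_token": token}, session_id="admin-session")
    return {
        "vulnerable_cross_site": vulnerable_set_dns(cross_site, current)["primary"],
        "hardened_cross_site": hardened_set_dns(cross_site, current)["primary"],
        "hardened_legit": hardened_set_dns(legit, current)["primary"],
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check alone stops the drive-by case the article describes; the per-session token is kept as a second, independent control so that a proxy or extension that strips the Origin header does not reopen the hole. Neither check replaces a strong administrative password, which the article lists as a separate precondition.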

Once a router is infected, the spoofing may be hard for some people to spot. The spoofed site will show www.netflix.com or another legitimate URL in the browser address bar, and the logos on the page may appear identical. But thanks to the increased usage of transport layer security—the protocol that authenticates websites by putting HTTPS and a padlock in the URL—spoofing is usually easy for the trained eye to recognize. Impersonated HTTPS pages will not display the padlock. They sometimes will be accompanied by a request to accept a self-signed certificate that’s not automatically trusted by the browser.

Besides watching out for spoofed sites, people can protect themselves by keeping router firmware updated or, when updates are no longer available, replacing the router. Also key is ensuring that administrative passwords are strong. Periodically checking a router’s DNS settings is a good idea as well. The DNS server setting should either be blank or, better yet, point to the freely available 1.1.1.1 server offered by content delivery network Cloudflare. Avast has more information on DNS hijacking here.
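A way to script the periodic check recommended above, as an added example that is not from the article or from Avast. It parses a resolv.conf-style resolver list (the upstream list on a router's admin page can be fed to the same audit function) and flags any resolver that is neither on an allowlist nor a LAN address. The allowlist holds only the public resolvers named on this page; both sample configurations are constructed, and 203.0.113.53 is a documentation-range placeholder standing in for an unknown resolver.

```python
import ipaddress

# Public resolvers named on this page; extend to match your own policy.
TRUSTED_RESOLVERS = {
    "1.1.1.1",          # Cloudflare
    "9.9.9.9",          # Quad9
    "8.8.8.8", "8.8.4.4",  # Google
    "208.67.222.222",   # OpenDNS
}

# Addresses that can legitimately appear as "the resolver" without being public:
# the router itself (RFC 1918), loopback and link-local.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fe80::/10", "::1/128",
)]

# Constructed sample: a healthy setup, the router forwarding plus a trusted public resolver.
SAMPLE_CLEAN = """# constructed example
nameserver 192.168.1.1
nameserver 1.1.1.1
"""

# Constructed sample: an unfamiliar public resolver has been pushed ahead of the usual one.
# 203.0.113.53 is a TEST-NET-3 documentation address, not a real resolver.
SAMPLE_SUSPECT = """# constructed example
nameserver 203.0.113.53
nameserver 8.8.8.8
"""


def parse_resolv_conf(text):
    """Return nameserver addresses in the order the stub resolver would try them."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def classify_resolver(addr, allowlist=TRUSTED_RESOLVERS):
    """Label one resolver address: trusted, lan, unexpected, or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in allowlist:
        return "trusted"
    if any(ip in net for net in LAN_NETWORKS):
        # The router is forwarding; its own upstream setting still needs the same check.
        return "lan"
    return "unexpected"


def audit_resolvers(servers, allowlist=TRUSTED_RESOLVERS):
    """Return (findings, suspected) for a list of resolver addresses.

    suspected is True when any resolver is a public address outside the allowlist,
    which is the signature of the DNS hijack described in the article.
    """
    findings = [(s, classify_resolver(s, allowlist)) for s in servers]
    suspected = any(kind == "unexpected" for _, kind in findings)
    return findings, suspected


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        findings, suspected = audit_resolvers(parse_resolv_conf(text))
        print(label, findings, "HIJACK SUSPECTED" if suspected else "ok")
```

A "lan" verdict is not a clean bill of health: it only means the machine defers to the router, so the router's own upstream DNS entries (the ones the article says to inspect) must be run through the same audit. An empty list corresponds to the "blank" setting the article accepts and is reported as not suspected.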

I don't use a router's DNS settings at all. I set up DNS on my laptop(s) and use that regardless of what any router may have.

So, you do not set up your DNS in your DHCP server, but instead in your PCs (laptop(s) and desktops), and therefore you are not using your router's DNS.

What about your phone? Do you have an iPhone or a non-rootable Android phone where the DNS cannot be changed? Your gadgets like your Switch or 3DS? Or your IoT doohickeys?

See, changing the DNS settings on your router (or, more correctly, your DHCP server) is part of a defense in depth strategy. On its own it will not do much, but as part of a broader strategy, it will do much...

Would using a non-standard internal router IP mitigate this at all, or is the malware sophisticated enough to discover those, such as by tracert'g anything and looking at the first IP address hit (i.e. the router's)?

Changing DNS settings on your router is a bare minimum, in my opinion. Obviously additional layers help, like DNSCrypt or equivalent - on iOS, you have the DNS Cloak app to help with this, and I assume Android has the same or more - on your mobile device to at least keep you on slightly better footing when outside on cellular or public wifi. A better alternative would be to roll your own VPN with DNSSEC and ad/tracker-blocking built in, but that costs money and/or requires some additional reading.

Use DNS 9.9.9.9 (IBM + PCH + GCA) if you want a modicum of malware protection for your IoT stuff (as a tiny part of a defense in depth strategy, with no magic silver bullets).

Use DNS 8.8.8.8 (Google) if you want speed and some freedom of speech.

Use DNS 208.67.222.222 (OpenDNS/Cisco) if you want a modicum of content filtering and pornography blocks (as a part of a filtering in depth strategy, with no magic bullets).

There are more options beyond those, but 9.9.9.9 and 8.8.8.8 are the ones for my use case; your mileage may vary.

Note that both Google (8.8.8.8/8.8.4.4) and Cloudflare (1.1.1.1) are almost certainly using your DNS requests to help them customize ads and other stuff for you. If you are OK with that then use them, but otherwise I'd recommend 9.9.9.9 (and then OpenDNS 208.67.222.222 or other free DNS servers like Freenom: 80.80.80.80 / 80.80.81.81).

Would you be so kind as to provide a supporting source for this suggestion? I spent quite a bit of time reviewing options before settling on 1.1.1.1, and encountered nothing along these lines.

That is because it is false. Both Google and Cloudflare have strong privacy policies for their DNS services that specifically disallow use of request logs for any purpose other than troubleshooting the service itself.

The best mitigation for this kind of thing is to use a router that is centrally managed and gets software updates pushed regularly and, ideally, does not have any local HTTP services. I switched to a Google WiFi unit years ago and I no longer fret about trying to update software on Netgears and whatnot.

Once in a blue moon, I take the high road and assume I missed something...

Google's an advertising company keen to hoover up any scrap of data they can, so I'll buy that just as soon as I buy the Brooklyn Bridge. Cloudflare at least isn't in the ad business so far as I know, so I find it easier to swallow that they probably aren't going to bother mining the request data.

This is why I went with 1.1.1.1, because any company that, after boasting it doesn't do evil, stops saying that...

While I 100% agree with most of what you're saying, I'd like to point out that both iOS and Android have supported changing DNS settings for years now. I can't speak for IoT and Nintendo gadgets however.

Unless those people are Frontier customers and forced to pay $10/month for a crappy modem/router, with a locked manual update function. Frontier says it automatically distributes updates as they become available. I have no reason to believe this.

So put your own router behind the Frontier one and turn off all the functionality you can on the Frontier one.

I'm doing this with the AT&T (Arris) router that's required to connect to AT&T's network. Got a Mikrotik hEX that's my real router and the AT&T one is just a pass-through.

"—spoofing is usually easy for the trained eye to recognize. Impersonated HTTPS pages will not display the padlock."

/Facepalm

This is plain wrong and bad security advice. TLS does not prevent that, and the advice to users that if they see the padlock they are safe is wrong. TLS only ensures you are connected to the right URL. However, that might be a spoofed site or not. It is now quite easy to get a valid TLS certificate for a malicious website. I can register a domain with a single-letter typo, use Let's Encrypt to get a valid cert, and make it appear as the original site. Only by checking the full URL (and the certificate issuer/owner) can you know you are safe.

You should do that with any provided router. Why give your ISP a view into your network?